Legitimate cryptomining programs ask users for permission to run. Malicious versions don’t, opting instead to quietly leech a computer’s resources. SophosLabs is seeing more of the latter variety, with a new twist:
Instead of showing up as executable files, they take the form of scripts hidden on websites, mining for cryptocurrency in the browser. Visitors to these sites see no evidence of the mining. The only clues that something may be amiss are their computer slowing down and their fans revving up.
A clear example of this is Coinhive, a Monero miner that first appeared in mid-September. The number of sites hiding it has steadily increased in recent weeks, as cryptocurrency values have taken a wild trajectory skyward.
Sophos CTO Joe Levy explains why:
Our position is that when this software is run in any user’s browser without an organization’s consent, it is parasitic, and should be considered malware because we don’t have something called parasiteware today. In instances where an organization really wants to donate its CPU/GPU cycles, and where the mining operation has gone to sufficient lengths to enable vendors like us to easily differentiate between consensual and non-consensual versions, then we can have a discussion about different classifications.
Cryptomining takes a sinister turn
Cryptomining is the process by which new units of Bitcoin, Monero, and such other cryptocurrencies as Ethereum and Litecoin are created: a miner’s computer repeatedly solves proof-of-work puzzles to validate transactions and earn coins. It requires massive amounts of processing power, which slows down everything else on the machine and adds wear and tear to the hardware.
This wasn’t always a problem because the activity was largely limited to those who chose to do it. That began to change as cryptocurrency prices skyrocketed. A single Bitcoin was worth $1000 at the start of 2017 and was valued at around $17,000 by year’s end.
Cyber thieves have taken notice and started using cryptominers to make money.
Coinhive also runs on mobile devices, where even a short period of mining can make the device’s temperature rise dramatically.
Coinhive rises with cryptocurrency values
As the value of such cryptocurrencies as Bitcoin (BTC) and Monero (XMR) skyrocketed in the last couple of weeks, SophosLabs has noticed a steady rise in sites using Coinhive scripts.
Coinhive markets itself as an alternative source of revenue to advertisements.
It’s this sort of activity that is leading Sophos to take a tougher stance.
From PUAs to malware
As noted above, we previously detected cryptominers as PUAs (Potentially Unwanted Applications), which meant no automatic cleanup. Admins were instead presented with alerts for PUA detections and could manually choose from three possible options: Cleanup, Authorize or Acknowledge.
What to do
Sophos customers can block cryptominers by using the Web Control features included in our Endpoint and Network Protection products.
Once enabled, blocking websites categorized as “Hacking” will stop users from visiting the offending sites.
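Admins who are not Sophos customers, or who want to check their own sites or proxy-captured pages for the hidden scripts described above, can look for the loader directly. The following is an added example, not code from the Sophos article or from Coinhive: it scans a page’s HTML for external scripts served from a miner host and for inline calls to the miner constructor. The hostname coinhive.com and the CoinHive.Anonymous / miner.start() names come from Coinhive’s own public embed snippet; treat the blocklist as an assumption to be extended with your own intelligence. The sample page, including the SITE_KEY_PLACEHOLDER value, is constructed for the example.

```javascript
// Added example (not from the Sophos article): find browser-miner loaders in HTML.
// Assumed indicators, taken from Coinhive's public embed snippet; extend as needed.
const MINER_SCRIPT_HOSTS = [
  "coinhive.com",
];

// Inline-script patterns: the miner constructors and the explicit start call.
const MINER_API_PATTERNS = [
  /\bCoinHive\.(?:Anonymous|User|Token)\s*\(/,
  /\bminer\.start\s*\(/,
];

// Pull every <script> tag out of the HTML, separating external sources from inline code.
function extractScripts(html) {
  const external = [];
  const inline = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (srcMatch) external.push(srcMatch[1]);
    else if (m[2].trim()) inline.push(m[2]);
  }
  return { external, inline };
}

// Resolve a script src to a hostname; absolute and protocol-relative (//host/...) URLs
// yield their host, while same-origin relative paths yield "" (no third-party host).
function hostOf(src) {
  try {
    const u = new URL(src, "https://example.invalid/");
    return u.hostname === "example.invalid" ? "" : u.hostname.toLowerCase();
  } catch (e) {
    return "";
  }
}

// Return a list of findings: { kind: "external", detail: src } for blocklisted hosts
// (including subdomains) and { kind: "inline", detail: matchedText } for miner API calls.
function findMinerScripts(html, hosts = MINER_SCRIPT_HOSTS) {
  const findings = [];
  const { external, inline } = extractScripts(html);
  for (const src of external) {
    const h = hostOf(src);
    if (h && hosts.some((bad) => h === bad || h.endsWith("." + bad))) {
      findings.push({ kind: "external", detail: src });
    }
  }
  for (const code of inline) {
    for (const p of MINER_API_PATTERNS) {
      const hit = p.exec(code);
      if (hit) {
        findings.push({ kind: "inline", detail: hit[0] });
        break; // one finding per inline script is enough to flag it
      }
    }
  }
  return findings;
}

// Constructed sample page: a legitimate first-party script, the Coinhive loader,
// and the inline snippet that starts the miner. SITE_KEY_PLACEHOLDER is made up.
const SAMPLE_PAGE = `<!doctype html>
<html><head><title>Free streams</title>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });
  miner.start();
</script>
</body></html>`;

// Usage: run against captured HTML (e.g. from a proxy log) and alert on any findings.
const findings = findMinerScripts(SAMPLE_PAGE);
console.log(findings);
```

The check runs over static HTML only, so a loader pulled in by a second-stage script or served under a freshly registered domain will slip past it; that is why the article’s web-category blocking and the CPU/fan symptoms it describes remain useful signals. For sites you operate, a Content-Security-Policy script-src allowlist stops an injected third-party loader from executing at all, regardless of its hostname.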